Details

Updated pam packages that resolve bugs in pam_unix and pam_timestampmodules are now available for Red Hat Enterprise Linux.

PAM (Pluggable Authentication Modules) is a system security tool thatallows system administrators to set authentication policies without havingto recompile programs that handle authentication.

The pam_unix module is used for traditional UNIX authentication via/etc/passwd, /etc/shadow or NIS. The updated package resolves the followingissues:

A passwd command could falsely report a succesfull password change even ifthe change didn't succeed due to immutable /etc/shadow file.

A passwd command changed NIS password even if the user was maintainedlocally in the /etc/passwd file. Now it changes the local password instead.For changing the NIS password for such user it is necessary to use theyppaswd utility.

When logging in to a ssh server with a user with an empty password, itdidn't obey the 'PermitEmptyPasswords no' setting and allowed the user tolog in.

The pam_timestamp module is used for keeping root login access for systemadministration applications so the user doesn't have to enter the rootpassword each time the application is started.

The updated package now checks if the user starting the application hasalready logged out of the system after the previous root password entry andit ensures the user has to enter the root password again in such case.

All users of PAM should upgrade to these updated packages, which resolvethese issues.

Solution

Before applying this update, make sure all previously released erratarelevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only thoseRPMs which are currently installed will be updated. Those RPMs which arenot installed but included in the list will not be updated. Note that youcan also use wildcards (*.rpm) if your current directory *only* contains thedesired RPMs.

Please note that this update is also available via Red Hat Network. Manypeople find this an easier way to apply updates. To use Red Hat Network,launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriateRPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSLCertificate Errors, you need to install a version of theup2date client with an updated certificate. The latest version ofup2date is available from the Red Hat FTP site and may also bedownloaded directly from the RHN website: